Configuring OSPF Authentication on a Virtual Link
Document ID: 8313

Author: Syed Faraz Shamim


  Introduction
  Prerequisites
    Requirements
    Components Used
    Conventions
  Configure
    Network Diagram
    Configurations
  Verify
    Sample show Command Output: Configure Plain Text Authentication
    Sample show Command Output: Configure MD5 Authentication
  Troubleshoot
    Sample debug Command Output: Configure Plain Text Authentication
    Sample debug Command Output: Configure MD5 Authentication
  Related Information
Introduction

All areas in an Open Shortest Path First (OSPF) autonomous system must physically connect to the backbone area (area 0). However, in cases where this physical connection is not possible, you can use a virtual link to connect to the backbone through a nonbackbone area. You can also use virtual links to connect two parts of a partitioned backbone through a nonbackbone area. You can also enable OSPF authentication on virtual links.

This document describes how to enable plain text and Message Digest 5 (MD5) authentication on a virtual link in an OSPF network. Refer to Sample Configuration for Authentication in OSPF for more information on how to configure OSPF authentication.


Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Knowledge of OSPF routing protocol and its operations
  • Knowledge of OSPF virtual links concept

For more information on OSPF routing protocol and the concept of virtual links in OSPF, refer to OSPF Design Guide.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2500 Series Routers
  • Cisco IOS® Software Release 12.2(27)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.


Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.


Network Diagram

This document uses this network setup:



Configurations

This document uses these configurations:

  • Configure Plain Text Authentication
  • Configure MD5 Authentication

Configure Plain Text Authentication

Plain text authentication sends the passwords through the network as clear text. In this configuration, Router 3.3.3.3 has no interface in area 0, but connects virtually to area 0. This configuration makes Router 3.3.3.3 a virtual Area Border Router (ABR), so you must enable authentication for area 0 on Router 3.3.3.3. This section provides the commands to configure plain text authentication in a virtual link scenario.

Note: The authentication key in the configuration is the password that is inserted directly into the OSPF header. The key is inserted into the header when the Cisco IOS Software originates routing protocol packets. You can assign a separate password to each network on a per-interface basis. All neighboring routers on the same network must have the same password in order to exchange OSPF information.



Configure MD5 Authentication

MD5 authentication provides better security than plain text authentication because the password itself is not sent over the network. Instead, this method uses the MD5 algorithm in order to compute a hash value from the contents of the OSPF packet and a password (or key). This hash value is transmitted in the packet, along with a key ID and a nondecreasing sequence number. The receiver, which knows the same password, calculates its own hash value over the received packet and accepts the packet only if the two values match; the sequence number lets it discard replayed packets. This section provides the commands to configure MD5 authentication in a virtual link scenario.
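As an added example that is not part of the original document, the Python script below implements the mechanism this paragraph describes, as RFC 2328 Appendix D specifies it: the digest is MD5 over the OSPF packet followed by the key zero-padded to 16 bytes, it is carried with a key ID and a sequence number, and the receiver recomputes the digest, compares it, and rejects a sequence number lower than the last one accepted. The Hello body, the key "cisco" and the router ID 3.3.3.3 are constructed sample values; a real router also fills in the checksum and does more validation than shown here.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_CRYPTO = 2      # AuType 2 = cryptographic authentication (RFC 2328 App. D)
DIGEST_LEN = 16      # MD5 digest length; the key is also padded to this length
HEADER_LEN = 24      # OSPF header including the 8-byte authentication field

def build_packet(ptype, router_id, area_id, body, key_id, seq, key):
    """Build an OSPF packet with its MD5 digest appended (RFC 2328 D.4.3).
    Digest = MD5(header + body + key padded to 16 bytes); Length excludes it."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    padded_key = key.ljust(DIGEST_LEN, b"\x00")
    length = HEADER_LEN + len(body)
    # Authentication field: 2 reserved bytes, key ID, auth data length, sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBHIIHH", 2, ptype, length,
                         int(ipaddress.IPv4Address(router_id)),
                         int(ipaddress.IPv4Address(area_id)), 0, AUTH_CRYPTO) + auth
    digest = hashlib.md5(header + body + padded_key).digest()
    return header + body + digest

def verify_packet(packet, keys, last_seq):
    """Receiver side (RFC 2328 D.4.2). keys maps key ID -> key bytes; last_seq is
    the highest sequence number already accepted from this neighbor (None at
    first). Returns (accepted, reason, sequence number to remember)."""
    length, = struct.unpack_from("!H", packet, 2) if len(packet) >= HEADER_LEN else (0,)
    if length < HEADER_LEN or length + DIGEST_LEN > len(packet):
        return False, "bad packet length", last_seq
    au_type, _, key_id, auth_len, seq = struct.unpack_from("!HHBBI", packet, 14)
    if au_type != AUTH_CRYPTO or auth_len != DIGEST_LEN:
        return False, "authentication type mismatch", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq
    if last_seq is not None and seq < last_seq:
        return False, "sequence number decreased (replay)", last_seq
    padded_key = keys[key_id].ljust(DIGEST_LEN, b"\x00")
    expected = hashlib.md5(packet[:length] + padded_key).digest()
    received = packet[length:length + DIGEST_LEN]
    if not hmac.compare_digest(received, expected):
        return False, "digest mismatch", last_seq
    return True, "ok", seq

# Constructed sample: a Hello body with the page's timers (Hello 10, Dead 40),
# key ID 1 as shown in "Youngest key id is 1", and a made-up key.
HELLO_BODY = struct.pack("!IHBBIII", 0xFF000000, 10, 0x02, 1, 40, 0, 0)
KEYS = {1: b"cisco"}
```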



Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show ip ospf virtual-links: Displays parameters and the current state of OSPF virtual links.
  • show ip route: Displays the current state of the routing table.

Sample show Command Output: Configure Plain Text Authentication

  r3.3.3.3# show ip ospf virtual-links

  Virtual Link OSPF_VL0 to router 1.1.1.1 is up

  !--- The status of the virtual link displays.

    Run as demand circuit
    DoNotAge LSA allowed

  !--- This specifies that OSPF runs as a demand circuit over virtual links,
  !--- and so link-state advertisements (LSAs) are not refreshed (not aged out).

    Transit area 1, via interface Serial0, Cost of using 128
    Transmit Delay is 1 sec, State POINT_TO_POINT,
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)

  !--- The status of the neighbor adjacency displays.

    Index 1/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
    Simple password authentication enabled

  !--- The type of authentication that is enabled displays.
  !--- The authentication type is simple password.

  r3.3.3.3#


Note: The output shows that OSPF hellos are suppressed. This means that, once the virtual link is up, no hellos are exchanged. OSPF suppresses the hellos because it considers virtual links to be demand circuits. Normally, OSPF sends hellos every 10 seconds and refreshes its LSAs every 30 minutes. However, even this amount of traffic is undesirable on demand circuits. The OSPF demand circuit options suppress the hello and LSA-refresh functions. As a result, any changes that you make to the OSPF authentication, such as a change of the authentication type on the routers, do not take effect until you clear the OSPF process with the clear ip ospf process command.

  r3.3.3.3# show ip route

  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
  Gateway of last resort is not set
  C 3.0.0.0/8 is directly connected, Loopback0
  O 4.0.0.0/8 [110/138] via 6.0.0.2, 00:31:08, Serial0
  O 5.0.0.0/8 [110/128] via 6.0.0.2, 22:55:44, Serial0
  C 6.0.0.0/8 is directly connected, Serial0
  C 12.0.0.0/8 is directly connected, Ethernet0
  r3.3.3.3#


Sample show Command Output: Configure MD5 Authentication

  r3.3.3.3# show ip ospf virtual-links

  Virtual Link OSPF_VL1 to router 1.1.1.1 is up

  !--- The status of the virtual link displays.

    Run as demand circuit
    DoNotAge LSA allowed

  !--- This specifies that OSPF runs as a demand circuit over virtual links,
  !--- and so LSAs are not refreshed (not aged out).

    Transit area 1, via interface Serial0, Cost of using 128
    Transmit Delay is 1 sec, State POINT_TO_POINT,
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)

  !--- The status of the neighbor adjacency displays.

    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
    Message digest authentication enabled

  !--- The type of authentication that is enabled displays.
  !--- The authentication type is MD5.

    Youngest key id is 1

  r3.3.3.3# show ip route

  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
  Gateway of last resort is not set
  C 3.0.0.0/8 is directly connected, Loopback0
  O 4.0.0.0/8 [110/138] via 6.0.0.2, 00:02:41, Serial0
  O 5.0.0.0/8 [110/128] via 6.0.0.2, 00:02:51, Serial0
  C 6.0.0.0/8 is directly connected, Serial0
  C 12.0.0.0/8 is directly connected, Ethernet0


Troubleshoot

Use this section to troubleshoot your configuration.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug ip ospf adj: Debugs the OSPF neighbor adjacency establishment process.

Sample debug Command Output: Configure Plain Text Authentication

  r3.3.3.3# debug ip ospf adj

  23:31:41: OSPF: Interface OSPF_VL0 going Up
  23:31:41: OSPF: Build router LSA for area 0, router ID 3.3.3.3,   seq 0x8000002E
  23:31:41: OSPF: Build router LSA for area 1, router ID 3.3.3.3,   seq 0x8000002E
  23:31:41: OSPF: Build router LSA for area 2, router ID 3.3.3.3,   seq 0x80000031
  23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x887   opt 0x62 flag 0x7
  len 32 mtu 0 state INIT
  23:31:51: OSPF: 2 Way Communication to 1.1.1.1 on OSPF_VL0,   state 2WAY
  23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2102   opt 0x62 flag 0x7 len 32
  23:31:51: OSPF: First DBD and we are not SLAVE
  23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2102   opt 0x62 flag 0x2
  len 172 mtu 0 state EXSTART
  23:31:51: OSPF: NBR Negotiation Done. We are the MASTER
  23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2103   opt 0x62 flag 0x3 len 172
  23:31:51: OSPF: Database request to 1.1.1.1
  23:31:51: OSPF: sent LS REQ packet to 5.0.0.1, length 12
  23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2103   opt 0x62 flag 0x0 len 32
  mtu 0 state EXCHANGE
  23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2104   opt 0x62 flag 0x1 len 32
  23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2104   opt 0x62 flag 0x0
  len 32 mtu 0 state EXCHANGE
  23:31:51: OSPF: Exchange Done with 1.1.1.1 on OSPF_VL0
  23:31:51: OSPF: Synchronized with 1.1.1.1 on OSPF_VL0, state   FULL

  !--- This indicates the establishment of neighbor adjacency.

  23:31:51: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on   OSPF_VL0 from LOADING to FULL,
  Loading Done
  23:31:52: OSPF: Build router LSA for area 0, router ID 3.3.3.3,   seq 0x8000002F
  23:32:23: OSPF: Dead event ignored for 1.1.1.1 on demand   circuit OSPF_VL0
  r3.3.3.3#


Sample debug Command Output: Configure MD5 Authentication

  r3.3.3.3# debug ip ospf adj

  23:48:06: OSPF: Interface OSPF_VL1 going Up
  23:48:06: OSPF: Send with youngest Key 0
  23:48:07: OSPF: Build router LSA for area 0, router ID 3.3.3.3,   seq 0x80000001
  23:48:07: OSPF: Build router LSA for area 2, router ID 3.3.3.3,   seq 0x80000033
  23:48:07: OSPF: Build router LSA for area 1, router ID 3.3.3.3,   seq 0x80000030
  23:48:14: OSPF: 2 Way Communication to 1.1.1.1 on OSPF_VL1,   state 2WAY
  23:48:14: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EA   opt 0x62 flag 0x7 len32
  23:48:14: OSPF: Send with youngest Key 1
  23:48:14: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x3FB   opt 0x62 flag 0x7
  len 32 mtu 0 state EXSTART
  23:48:14: OSPF: First DBD and we are not SLAVE
  23:48:16: OSPF: Send with youngest Key 1
  23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EA   opt 0x62 flag 0x7 len 32
  23:48:19: OSPF: Send with youngest Key 1
  23:48:19: OSPF: Retransmitting DBD to 1.1.1.1 on OSPF_VL1 [1]
  23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x3FB   opt 0x62 flag 0x7 len 32
  mtu 0 state EXSTART
  23:48:19: OSPF: First DBD and we are not SLAVE
  23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EA   opt 0x62 flag 0x2
  len 172 mtu 0 state EXSTART
  23:48:19: OSPF: NBR Negotiation Done. We are the MASTER
  23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EB   opt 0x62 flag 0x3 len 112
  23:48:19: OSPF: Send with youngest Key 1
  23:48:19: OSPF: Send with youngest Key 1
  23:48:19: OSPF: Database request to 1.1.1.1
  23:48:19: OSPF: sent LS REQ packet to 5.0.0.1, length 48
  23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EB   opt 0x62 flag 0x0 len 32
  mtu 0 state EXCHANGE
  23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EC   opt 0x62 flag 0x1 len 32
  23:48:19: OSPF: Send with youngest Key 1
  23:48:19: OSPF: Build router LSA for area 0, router ID 3.3.3.3,   seq 0x80000030
  23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EC   opt 0x62 flag 0x0 len 32
  mtu 0 state EXCHANGE
  23:48:19: OSPF: Exchange Done with 1.1.1.1 on OSPF_VL1
  23:48:19: OSPF: Synchronized with 1.1.1.1 on OSPF_VL1, state   FULL

  !--- This indicates the establishment of neighbor adjacency.

  23:48:19: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on   OSPF_VL1 from LOADING to FULL,
  Loading Done



Related Information
  • OSPF Support Page
  • OSPF Design Guide
  • OSPF Virtual Link
  • Sample Configuration for Authentication in OSPF
  • OSPF Demand Circuit Feature
  • Technical Support & Documentation - Cisco Systems

All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
